[IT-4071] Suppress HTTP findings for Bridge buckets (#1335)

ConsoleCatzirl · web-flow · commit 000649952bd4 · 2025-02-24T11:43:11.000-08:00
Suppress CIS 2.1.2 for S3 buckets in Bridge because the application accesses consent form templates in S3 via HTTP.
diff --git a/org-formation/075-security-hub/security-hub-suppress-infra.yaml b/org-formation/075-security-hub/security-hub-suppress-infra.yaml
@@ -354,6 +354,8 @@ Resources:
   # Below this point, rules are defined to send findings to the SecurityHubFindingsQueue above
   # The findings on the queue will be processed by a lambda that will suppress them in SecurityHub
 
+  # Event format: https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-cwe-event-formats.html
+
   # This rule suppresses findings for the given controls (GeneratorId) in all the accounts
   SuppressFindingsInAllAccountsRule:
     Type: AWS::Events::Rule
@@ -496,3 +498,34 @@ Resources:
           - SecurityHubFindingsQueue
           - Arn
         Id: Target0
+
+  # Suppress all findings for insecure access to S3 buckets in the bridge accounts
+  # because consent forms are accessed via HTTP
+  SuppressFindingsForBridgeAccounts:
+    Type: AWS::Events::Rule
+    Properties:
+      Description: SecHubSuppress findings for HTTP access in Bridge
+      EventPattern:
+        detail:
+          findings:
+            GeneratorId:
+              # Ensure S3 Bucket Policy is set to deny HTTP requests
+              - 'cis-aws-foundations-benchmark/v/1.4.0/2.1.2'
+            Workflow:
+              Status:
+              - NEW
+              - NOTIFIED
+        account:
+        - '420786776710' # bridge-dev
+        - '649232250620' # bridge-prod
+        detail-type:
+        - Security Hub Findings - Imported
+        source:
+        - aws.securityhub
+      State: ENABLED
+      Targets:
+      - Arn:
+          Fn::GetAtt:
+          - SecurityHubFindingsQueue
+          - Arn
+        Id: Target0
